Cisco AnyConnect and WebVPN

AnyConnect and WebVPN are perhaps the best features of the ASA appliances in my mind. Before we dive into the AnyConnect and WebVPN "how to", I thought it would be best to give a brief description of what each feature is and how they work together. There seems to be some confusion between the two in regards to what they actually are as well as how they are licensed.

WebVPN – WebVPN gives users secure access to the ASA's SSL portal (Cisco's documentation also calls this clientless SSL VPN, and the CLI keyword is simply webvpn). If you have already connected to an AnyConnect VPN session you know that you first log into a web portal. Once logged in, you can launch the AnyConnect application, which downloads the client to your machine and connects you to the corporate VPN. In addition to AnyConnect, several other applications (plug-ins) can be installed in the portal. For instance, there are RDP (Microsoft Remote Desktop) and SSH/Telnet plug-ins, which means you can reach resources on your company's internal network from the browser without connecting to AnyConnect first. Keep in mind that anything you enable in the portal is reachable by anyone who can authenticate to it, so only enable the plug-ins you actually need. We'll walk through how to configure those at a later point. As for licensing: you need a license to connect to the WebVPN portal and an additional SSL VPN license to use AnyConnect. Base model ASAs came with 2 of each. I will note here that this isn't nearly as confusing since I upgraded to 8.2 code. In previous code releases a show version displayed two separate license counts, one for WebVPN and one for SSL VPN. Regardless of how you were connected and what features you were using, the license counts appeared to always show the same number. In 8.2 there is no longer a separate license count for WebVPN, which clears up some of the confusion. Bottom line: WebVPN is the portal you log into over SSL.

AnyConnect – AnyConnect is the actual application, launched from within the web portal, that gives you true VPN connectivity (a full tunnel) back to your company's network. You only need to go through the web portal once on a given machine: on the first connection the AnyConnect client is downloaded and installed, and after that, if all you want to do is connect to the VPN, you can simply open the AnyConnect application, which by default is installed in the Cisco program group under All Programs, and connect directly. AnyConnect is the next generation of Cisco VPN clients. Cisco has stopped support for its standard IPsec VPN client on 64-bit operating systems. To me, this is a pretty clear indication that Cisco wants us to use AnyConnect going forward for client VPN connections. There are a lot of new options, such as Cisco Secure Desktop (CSD) and pre-login checks, which let you inspect the host for a variety of attributes prior to allowing a connection. For instance, you can set up a flow that denies access to Mac-based machines, or checks that the client has a particular anti-virus application and version installed. Because these checks run on the endpoint and depend on what it reports, treat them as policy enforcement for managed machines rather than as a hard security boundary. Lots of neat stuff here and more to come.
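To make the relationship between the two concrete, here is an added example (not configuration from the original post) of the minimum 8.2-era ASA configuration that enables the WebVPN portal on the outside interface, publishes the AnyConnect package from that portal, and attaches a group policy allowing both the clientless portal (webvpn) and the AnyConnect client (svc) to a tunnel group. The interface name, pool addresses, package file name, and the group-policy and tunnel-group names are assumptions.

```cisco
! Address pool handed to AnyConnect clients (assumed range)
ip local pool POOL_ANYCONNECT 10.10.10.10-10.10.10.50 mask 255.255.255.0
!
! WebVPN = the SSL portal. "enable outside" is what opens TCP/443 on that interface.
webvpn
 enable outside
 ! The AnyConnect package the portal serves to browsers on first login (file name assumed)
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 ! Show the tunnel-group drop-down on the portal login page
 tunnel-group-list enable
!
! Group policy: "svc" = AnyConnect full tunnel, "webvpn" = clientless portal.
! Remove "webvpn" from the line to allow AnyConnect only, or "svc" to allow the portal only.
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  ! Prompt the user to start AnyConnect or stay in the portal; after 15 s default to AnyConnect
  svc ask enable default svc timeout 15
  ! Leave the client installed so later connections skip the portal entirely
  svc keep-installer installed
!
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 address-pool POOL_ANYCONNECT
 default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
 ! Name shown in the portal's group drop-down (assumed)
 group-alias anyconnect enable
```

Once a user connects, show vpn-sessiondb svc lists AnyConnect sessions and show vpn-sessiondb webvpn lists clientless portal sessions, which is the easiest way to see which kind of session, and therefore which license, a given user is consuming; show version | include Peers shows the licensed counts. One caveat worth stating up front: the ASA defaults to sysopt connection permit-vpn, so decrypted VPN traffic bypasses the outside interface ACL. Restrict what remote users can reach with a vpn-filter on the group policy rather than assuming the interface ACL applies to them.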

Summary – WebVPN is the web portal (clientless SSL VPN) that can host a variety of applications, including AnyConnect. AnyConnect is Cisco's SSL-based VPN client.